Axios Codebook

January 10, 2025
TGIF, everyone. Welcome back to Codebook.
- Today we have a fun deep dive based on a visual project our team has been cooking up over the last few months.
- Have thoughts on other cybersecurity events that deserve the same treatment? [email protected].
Situational awareness: The Supreme Court is currently hearing oral arguments on whether to pause a looming TikTok ban before it goes into effect Jan. 19.
Today's newsletter is 1,526 words, a 6-minute read.
1 big thing: Dealing a lasting blow to a ransomware ring
Ransomware is a rampant, ever-evolving cybersecurity threat that has become an endemic problem for all organizations.
The big picture: Fighting the cybercriminal gangs behind these attacks has become a game of whack-a-mole.
- Law enforcement seizes a gang's servers and domains, dealing a temporary blow to its operations, only for the hackers to rebuild and relaunch their attacks a few months later.
Between the lines: The 2024 takedown of LockBit was different. The perpetrators are still struggling to recover nearly a year later.
Driving the news: A new Axios analysis of the LockBit indictments provides one of the clearest views inside a ransomware gang's operations.
- The documents shared details about what a LockBit attack looked like, who operated the gang, and how LockBit communicated with freelancers who helped along the way.
By the numbers: LockBit had attacked more than 2,500 organizations worldwide prior to the takedown, according to the U.S. Justice Department.
- Over the years, victims included major corporations like Boeing and even a children's hospital.
The intrigue: The LockBit takedown is one of the only examples of law enforcement destroying a cybercriminal operation's brand reputation along with its technical infrastructure.
- Investigators took over the ransomware gang's dark-web site to troll its operators.
- They posted countdowns for when they'd reveal new sensitive information about the group and published a free decryption tool for victims.
What they're saying: "Our goal was to make LockBit, the variant itself in the technical ecosystem, radioactive," Brett Leatherman, deputy assistant director of the FBI's cyber operations, told Axios.
Zoom in: By many accounts, that strategy has worked so far. It's difficult to rebrand when the foundation of the brand has been destroyed and mocked.
- The gang's operator was banned from popular hacker forums Exploit and XSS, making it difficult for him to recruit new members, according to a Trend Micro report.
- Any remaining affiliates who wanted to keep working with LockBit no longer had access to the famed control panel. Whenever they opened it, they would get a message saying "law enforcement had taken control and might be in touch with them," per Trend Micro.
What we're watching: LockBit warned last month that it's planning to launch a new version of its ransomware Feb. 3.
- The gang is planning to launch five different dark-web sites, an indication that it could be strengthening its operations.
Go deeper: How a ransomware attack works
2. Zoom in: Unmasking the hackers behind LockBit
LockBit hackers weren't the criminal masterminds that the public may have believed them to be, despite the group's list of high-value victims.
Why it matters: Perceiving ransomware gangs as untouchable villains may make unsuspecting companies freeze up when they're targeted.
- Some may pay the ransom simply out of fear of business losses and to prevent a data leak, believing they may not have the resources to outsmart them.
- After paying, those victims also tend to trust their attackers to uphold their end of the bargain and delete whatever confidential data was stolen, only to have the hackers go back on their word.
The intrigue: Most of the people identified as LockBit members in various indictments were young men looking for big payoffs and street cred. Some of the top members included:
Dmitry Yuryevich Khoroshev, known by the hacker moniker "LockBitSupp," ran the group, according to a May indictment.
- Investigators say Khoroshev sat at the helm since at least September 2019, and he'd often recruit new affiliates after law enforcement took down his rivals.
- Khoroshev, a 30-something living in Russia, also would demand his freelance affiliates show their allegiance in new ways. Once, he even paid individuals $1,000 after they got a tattoo of the LockBit logo.
Ivan Kondratyev, aka "Bassterlord," is a late 20-something man who helped LockBit break into corporate networks.
- According to his indictment, Kondratyev ran his own team of hackers that he called "National Hazard Agency."
- Kondratyev was a ransomware veteran: He had previously been indicted for using ransomware from the now-defunct REvil ransomware gang, and he also worked with the RansomEXX and Avaddon gangs.
- He was 27 years old at the time of the LockBit indictment.
- In the days after the February takedown, a security researcher uncovered a video purportedly of Kondratyev getting one of the famed LockBit tattoos.
Mikhail Vasiliev is one of the few affiliates who was actually arrested and taken into custody.
- He was 33 years old when he was arrested in Canada in late 2022.
- Vasiliev left a file on his computer titled "TARGETLIST," which included the name of a LockBit victim from 2021, according to his indictment. Investigators found this after executing a search warrant.
- Vasiliev also left screenshots on his computer detailing his conversations with Khoroshev on an end-to-end encrypted messaging service.
By the numbers: The U.K.'s National Crime Agency estimates that 194 people used LockBit's services leading up to the February 2024 takedown.
- 148 of them built attacks, but up to 114 of them never made any money from their work, per the NCA.
- Only 69 affiliates were active at the time of the takedown, law enforcement said.
Reality check: Most of these men live in Russia, making an actual arrest unlikely since the U.S. doesn't have an extradition treaty with the Russian government.
- But there's always the chance one of them gets overly confident and leaves the country to go on vacation in a few years.
3. New security tools coming out of CES
At CES in windy Las Vegas this week, security practitioners gave a sneak peek of the tools they're releasing this year.
Why it matters: The new tools highlight the likely emerging trends of 2025, including deepfake detection, online scam alerts and AI-powered technologies.
Here's a look at three products I demoed while on the floor this week:
McAfee is rolling out a Scam Detector tool this year that will flag scam emails and send push alerts about likely scam text messages.
- Coming this spring, the new feature will send a notification to mobile app users if a scammy text message lands on their device. That includes seemingly innocuous texts that just ask questions and don't include phishing links.
- McAfee will also share details about why it flagged a suspicious email or text message so consumers can learn more about how scammers operate.
- Yes, but: For the time being, the feature won't be available for iMessage, the company told me. That's because of challenges with scanning the contents of messages that come in.
Hailo, an Israeli AI-focused chipmaker, demoed a new AI vision processor that lets surveillance cameras identify people in real time using specific queries.
- Theoretically, users could add a filter to a camera saying to notify them only if the camera sees a "man wearing a black jacket" using this new tool. Users could also put multiple filters on the camera at once.
- Right now, the feature is just a proof of concept, but CEO Orr Danon told me he's hopeful the company will find a partner that may want to embed this technology into a device this year.
Accenture rolled out a public service campaign to educate people about the power of deepfakes and how to spot them in the wild.
- During a demo, the company was able to deepfake my likeness and voice using one photo and roughly 15 seconds of audio to create three videos of me committing various crimes, including stealing a neighbor's package.
- Accenture also demoed its work with Reality Defender, which provides live audio deepfake detection during phone calls, a tool that can be especially helpful for businesses with customer support call centers.
4. Catch up quick
@ D.C.
China-backed hackers have breached the Committee on Foreign Investment in the United States, a Treasury Department office that reviews foreign investments for national security risks. (CNN)
A new Biden cybersecurity executive order, likely to be signed next week, will focus on how agencies procure security tools and how they vet the tools they're using, according to a draft copy. (Nextgov)
Some internet-connected products will soon come with the equivalent of an Energy Star label that measures cybersecurity. (NBC News)
@ Industry
After agreeing to settle a lawsuit over its voice assistant, Apple said in a statement that it has never used Siri data to build marketing profiles and has never made that data available to advertisers. (The Verge)
Wiz tapped Fazal Merchant as its president and chief financial officer as the cloud security startup prepares for its IPO. (Reuters)
More AI wearables are embedding microphones that are always on and listening for cues from the wearers, raising privacy concerns. (Wired)
@ Hackers and hacks
Hackers are actively exploiting a critical security flaw in Ivanti's Connect Secure, Policy Secure and ZTA Gateways products, each of which is widely used across U.S. government agencies. (CyberScoop)
Thousands of the world's most popular apps, including Candy Crush and Tinder, are likely co-opted as part of a hack of location data company Gravy Analytics. (404 Media)
PowerSchool, an ed tech company, told customers that hackers have stolen personal data about students and teachers in K-12 school districts across the U.S. (TechCrunch)
5. 1 fun thing
My view from the plane home from Las Vegas this week: Always sit in the window seat!
See y'all Tuesday!
Thanks to Megan Morrone for editing and Khalid Adad for copy editing this newsletter.
If you like Axios Codebook, spread the word.
Sign up for Axios Codebook